Order  Code  RS21851 
May  27,  2004 


CRS  Report  for  Congress 

Received  through  the  CRS  Web 


Privacy  Protection:  Mandating  New 
Arrangements  to  Implement  and  Assess 
Federal  Privacy  Policy  and  Practice 

Harold  C.  Relyea 

Specialist  in  American  National  Government 
Government  and  Finance  Division 


Summary 


When  Congress  enacted  the  Privacy  Act  of  1974,  it  established  a  temporary 
national  study  commission  to  conduct  a  comprehensive  assessment  of  privacy  policy  and 
practice  in  both  the  public  and  private  sectors  and  to  make  recommendations  for  better 
protecting  the  privacy  of  individuals.  While  the  panel  subsequently  produced  a 
landmark  July  1977  report,  its  recommendations  were  not  legislatively  implemented. 
Nonetheless,  interest  in  creating  new  arrangements  for  better  implementing  and 
assessing  federal  privacy  policies  and  practices  continued,  the  most  recent  proposal 
offered  in  the  108th  Congress  being  legislation  (H.R.  4414)  to  designate  a  Chief  Privacy 
Officer  within  the  Office  of  Management  and  Budget,  as  well  as  privacy  officers  in  each 
principal  department  and  the  independent  agencies,  and  establish  a  temporary 
commission  to  examine  privacy  issues  related  to  the  government’ s  anti-terrorism  efforts. 
This  report  will  be  updated  as  events  warrant. 


An  expectation  of  personal  privacy  —  not  being  intruded  upon  —  seemingly  has 
long  prevailed  among  American  citizens.  By  one  assessment,  American  society,  prior  to 
the  Civil  War,  “had  a  thorough  and  effective  set  of  rules  with  which  to  protect  individual 
and  group  privacy  from  the  means  of  compulsory  disclosure  and  physical  surveillance 
known  in  that  era.”1  Toward  the  end  of  the  19th  century,  new  technology  —  the  telephone, 
the  microphone  and  dictograph  recorder,  and  improved  cameras  —  presented  major  new 
challenges  to  privacy  protection.  During  the  closing  decades  of  the  20th  century, 
extensions  of  these  and  other  new  technology  developments  —  the  computer,  genetic 
profiling,  and  digital  surveillance  —  further  heightened  anxieties  about  the  loss  of 
personal  privacy.  In  response,  Congress  has  legislated  various  privacy  protections.  To 
assist  in  this  effort,  Congress,  on  two  occasions,  has  sought  the  views  of  a  temporary 
national  study  commission. 


1  Alan  F.  Westin,  Privacy  and  Freedom  (New  York:  Atheneum,  1970),  pp.  337-338. 


Congressional  Research  Service  ❖  The  Library  of  Congress 


Report  Documentation  Page 

Form  Approved 

OMB  No.  0704-0188 

Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 

VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  OMB  control  number. 

1.  REPORT  DATE 

27  MAY  2004 

2.  REPORT  TYPE 

N/A 

3.  DATES  COVERED 

4.  TITLE  AND  SUBTITLE 

5a.  CONTRACT  NUMBER 

Privacy  Protection:  Mandating  New  Arrangements  to  Implement  and 

5b.  GRANT  NUMBER 

/ibscss  reueiiti  ritvatj'  runt)  ctnu  riauitc 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

5d.  PROIECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

David  D.  Acker  Library,  and  Knowledge  Repository  Defense  Acquisition 
University  Fort  Belvoir,  VA  22060 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

10.  SPONSOR/MONITOR'S  ACRONYM(S) 

11.  SPONSOR/MONITOR'S  REPORT 
NUMBER(S) 

12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release,  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 

14.  ABSTRACT 

15.  SUBIECT  TERMS 

16.  SECURITY  CLASSIFICATION  OF: 

17.  LIMITATION  OF 
ABSTRACT 

SAR 

18.  NUMBER 

OF  PAGES 

5 

19a.  NAME  OF 
RESPONSIBLE  PERSON 

a.  REPORT 

unclassified 

b.  ABSTRACT 

unclassified 

c.  THIS  PAGE 

unclassified 

Standard  Form  298  (Rev.  8-98) 

Prescribed  by  ANSI  Std  Z39-18 


CRS-2 


Privacy  Protection  Study  Commission 

While  the  Privacy  Act  of  1974  directly  addressed  several  aspects  of  personal  privacy 
protection,  the  statute  also  mandated  the  Privacy  Protection  Study  Commission,  a 
temporary,  seven-member  panel  tasked  to  “make  a  study  of  the  data  banks,  automated 
data  processing  programs,  and  information  systems  of  governmental,  regional,  and  private 
organizations,  in  order  to  determine  the  standards  and  procedures  in  force  for  the 
protection  of  personal  information.”2  The  commission  was  to  “recommend  to  the 
President  and  the  Congress  the  extent,  if  any,  to  which  the  requirements  and  principles 
of  [the  Privacy  Act]  should  be  applied  to  the  information  practices  of  [such]  organizations 
by  legislation,  administrative  action,  or  voluntary  adoption  of  such  requirements  and 
principles,  and  report  on  such  other  legislative  recommendations  as  it  may  determine  to 
be  necessary  to  protect  the  privacy  of  individuals  while  meeting  the  legitimate  needs  of 
government  and  society  for  information.”3 

The  commission  began  operations  in  early  June  1975  under  the  leadership  of 
chairman  David  F.  Linowes,  a  University  of  Illinois  political  economist,  educator,  and 
corporate  executive.4  The  final  report  of  the  panel,  published  in  July  1977,  offered  162 
recommendations.5  In  general,  the  commission  urged  the  establishment  of  a  permanent, 
independent  entity  within  the  federal  government  to  monitor,  investigate,  evaluate,  advise, 
and  offer  policy  recommendations  concerning  personal  privacy  matters;  better  regulation 
of  the  use  of  mailing  lists  for  commercial  purposes;  adherence  to  principles  of  fair 
information  practice  by  employers;  limited  government  access  to  personal  records  held 
by  private  sector  recordkeepers  through  adherence  to  recognized  legal  processes;  and 
improved  privacy  protection  for  educational  records.  The  panel  also  recommended  the 
adoption  of  legislation  to  apply  principles  of  fair  information  practice,  such  as  those  found 
in  the  Privacy  Act,  to  personal  information  collected  and  managed  by  the  consumer  credit, 
banking,  insurance,  and  medical  care  sectors  of  the  U.S.  economy. 

Congressional  response  to  the  commission’s  report  was  largely  positive;  some  200 
bills  incorporating  its  recommendations  were  introduced.  However,  an  effort  to  enact 
legislation  applying  fair  information  practice  principles  to  personal  information  collected 
and  managed  by  the  insurance  and  medical  care  industries  failed  in  the  final  days  of  the 
96th  Congress.  The  opposition  was  sufficient  to  discourage  a  return  to  such  legislative 
efforts  for  several  years. 

Federal  Paperwork  Commission 

In  1974,  Congress  also  established  a  temporary,  14-member  Commission  on  Federal 
Paperwork,  giving  it  a  broad  mandate  to  consider  a  variety  of  aspects  of  the  collection, 
processing,  dissemination,  and  management  of  federal  information,  including  “the  ways 


2  88  Stat.  1906. 

3  Ibid. 

4  See  David  F.  Linowes,  “The  U.S.  Privacy  Protection  Commission,”  American  Behavioral 
Scientist,  vol.  26,  May-June  1983,  pp.  577-590. 

5  U.S.  Privacy  Protection  Study  Commission,  Personal  Privacy  in  an  Information  Society 
(Washington:  GPO,  1977). 


CRS-3 


in  which  policies  and  practices  relating  to  the  maintenance  of  confidentiality  of 
information  impact  upon  Federal  information  activities.”6  The  panel  was  cochaired  by 
Representative  Frank  Horton  (R-NY)  and  Senator  Thomas  J.  McIntyre  (D-NH); 
conducted  its  work  largely  in  parallel  with  the  Privacy  Protection  Study  Commission;  and 
produced  36  topical  reports,  with  recommendations,  as  well  as  a  final  summary  report  of 
October  3, 1977. 7  One  of  these  reports  was  devoted  to  confidentiality  and  privacy.  Issued 
July  29, 1977,  it  offered  12  recommendations.8  Although  a  House  subcommittee  devoted 
a  hearing  to  the  report,  no  immediate  action  was  taken  on  its  recommendations.9 

Subsequently,  however,  a  recommended  new  organization  to  centralize  and 
coordinate  existing  information  management  functions  within  the  executive  branch  was 
realized  in  the  Paperwork  Reduction  Act  of  1980. 10  Located  within  the  Office  of 
Management  and  Budget  (OMB),  the  Office  of  Information  and  Regulatory  Affairs 
(OIRA)  was  to  assist  the  OMB  director  with  the  government- wide  information 
coordination  and  guidance  functions  assigned  to  him  by  the  act. 

Indicating  that  one  of  the  purposes  of  the  Paperwork  Reduction  Act  was  “to  ensure 
that  the  collection,  maintenance,  use  and  dissemination  of  information  by  the  Federal 
Government  is  consistent  with  applicable  laws  relating  to  confidentiality,  including ...  the 
Privacy  Act,”11  the  statute  assigned  the  OMB  director  the  several  privacy  functions:  “(1) 
developing  and  implementing  policies,  principles,  standards,  and  guidelines  on 
information  disclosure  and  confidentiality,  and  on  safeguarding  the  security  of 
information  collected  or  maintained  by  or  on  behalf  of  agencies;  (2)  providing  agencies 
with  advice  and  guidance  about  information  security,  restriction,  exchange,  and 
disclosure;  and  (3)  monitoring  compliance  with  [the  Privacy  Act]  and  related  information 
management  laws.”12  These  privacy  functions  would  be  expanded,  and  privacy 
responsibilities  would  be  specified  for  the  federal  agencies,  in  a  1 995  recodification  of  the 
act.13  In  1988,  amendments  governing  computer  matches  of  personal  information  by 
government  agencies  were  enacted.14 


6  88  Stat.  1789. 

7  U.S.  Commission  on  Federal  Paperwork,  Final  Summary  Report:  A  Report  of  the  Commission 
on  Federal  Paperwork  (Washington:  GPO,  1977). 

8  U.S.  Commission  on  Federal  Paperwork,  Confidentiality  and  Privacy:  A  Report  of  the 
Commission  on  Federal  Paperwork  (Washington:  GPO,  1977),  pp.  139-175. 

9  U.S.  Congress,  House  Committee  on  Government  Operations,  Privacy  and  Confidentiality 
Report  and  Final  Recommendations  of  the  Commission  on  Federal  Paperwork ,  hearing,  95lh 
Cong.,  1st  sess.,  Oct.  17,  1977  (Washington:  GPO,  1978). 

10  94  Stat.  2812;  44  U.S.C.  3501  et  seq. 

11  94  Stat.  2813. 

12  94  Stat.  2816. 

13  109  Stat.  163;  44  U.S.C.  3501  et  seq. 

14  102  Stat.  2507. 


CRS-4 


Pursuing  New  Privacy  Arrangements 

As  the  21st  century  approached,  heightened  interest  in  a  new  privacy  study 
commission  was  evidenced.  During  the  106th  Congress,  three  bills  were  introduced  to 
establish  a  temporary  study  commission  to  examine  personal  privacy  issues.  One  of  these 
(H.R.  4049),  offered  by  Representative  Asa  Hutchinson  (R-AR),  would  have  created  a 
17-member  Commission  for  the  Comprehensive  Study  of  Privacy  Protection  to  “conduct 
a  study  of  issues  relating  to  protection  of  individual  privacy  and  the  appropriate  balance 
to  be  achieved  between  protecting  individual  privacy  and  allowing  appropriate  uses  of 
information.”  Referred  to  the  Committee  on  Government  Reform,  the  bill  was  considered 
by  the  Subcommittee  on  Government  Management,  Information,  and  Technology.15  The 
subcommittee  amended  the  bill,  increasing  the  panel’s  funding  authorization  from  $2.5 
million  to  $5  million;  authorizing  it  to  issue  subpoenas  to  obtain  needed  information,  but 
prohibiting  the  panel  from  acquiring  any  classified  information  relating  to  national 
security;  and  reducing  the  number  of  required  field  hearings  from  20  to  10.  Further 
modified  by  the  Committee  on  Government  Reform,  the  bill  was  brought  up  on  the  floor 
on  October  2,  2000,  for  approval  under  a  suspension  of  the  House  rules,  but  the  bill  failed 
to  pass  on  a  vote  of  250  yeas  to  146  nays  (two-thirds  approval  required).16 

Representative  Hutchinson  introduced  a  modified  version  of  his  earlier  privacy 
commission  bill,  with  bipartisan  support,  in  the  107th  Congress  (H.R.  583),  but  it  was  not 
reported  by  the  Committee  on  Government  Reform.  A  companion  bill,  of  sorts,  was 
introduced  in  the  Senate,  with  bipartisan  support  (S.  851),  by  Senator  Fred  Thompson  (R- 
TN),  the  chairman  of  the  Committee  on  Governmental  Affairs,  to  which  the  bill  was 
referred.17  Unlike  the  Hutchinson  bill,  the  Thompson  measure  would  have  focused 
commission  attention  on  public  sector  privacy  issues,  including  the  extent  to  which 
federal,  state,  and  local  governments  collect,  use,  and  distribute  personal  information; 
their  compliance  with  the  Privacy  Act;  and  the  extent  to  which  individuals  can  obtain 
redress  for  privacy  violations  by  these  governments.  The  Committee  on  Governmental 
Affairs  took  no  action  on  the  legislation. 

In  the  108th  Congress,  Representative  Kendrick  Meek  (D-FL)  introduced,  for  himself 
and  25  cosponsors,  on  May  20,  2004,  a  bill  (H.R.  4414)  requiring  the  presidential 
designation  of  a  senior  official  within  OMB  as  the  Chief  Privacy  Officer,  with  primary 
responsibility  for  privacy  policy  throughout  the  federal  government;  requiring  the  heads 
of  the  principal  departments  and  each  independent  agency  in  the  executive  branch  to 
appoint  a  senior  official  to  assume  primary  responsibility  for  privacy  policy;  and 
mandating  a  temporary  Commission  on  Privacy,  Freedom,  and  Homeland  Security  to 
conduct  a  comprehensive  legal  and  factual  study  relating  to  United  States  efforts  to  further 
homeland  security  in  a  manner  that  protects  privacy,  civil  liberties,  and  individual 


15  U.S.  Congress,  House  Committee  on  Government  Reform,  H.R.  4049,  to  Establish  the 
Commission  for  the  Comprehensive  Study  of  Privacy  Protection ,  hearings,  106th  Cong.,  2nd  sess., 
May  15-16,  2000  (Washington:  GPO,  2001);  also  see  U.S.  Congress,  House  Committee  on 
Government  Reform,  The  Privacy  Commission:  A  Complete  Examination  of  Privacy  Protection , 
hearing,  106th  Cong.,  2nd  sess.,  Apr.  12,  2000  (Washington:  GPO,  2001). 

16  Congressional  Record,  daily  edition,  vol.  146,  Oct.  2, 2000,  pp.  H8561-H8570,  H8588-H8589. 

17  See  Congressional  Record,  daily  edition,  vol.  147,  May  9,  2001,  pp.  S4604-S4607. 


CRS-5 


freedoms.  During  the  Clinton  Administration,  attorney  Peter  Swire  served  as  Chief 
Counselor  for  Privacy  at  OMB,  a  new  position  he  held  from  March  1999  to  January  2001 . 
The  successor  Bush  Administration  did  not  continue  the  position.  When  the  Department 
of  Homeland  Security  was  established  with  the  Homeland  Security  Act  of  2002,  the 
statute  mandated  a  Privacy  Officer  for  the  department.18  Some  other  entities  —  such  as 
the  Department  of  Health  and  Human  Services,  Department  of  Justice,  and  Internal 
Revenue  Service  —  have  an  administratively  established  Privacy  Officer. 

Representative  Meek’s  legislation,  denominated  the  Strengthening  Homeland 
Innovation  to  Emphasize  Liberty,  Democracy,  and  Privacy  Act,  or  the  SHIELD  Privacy 
Act,  seeks  to  create  new  arrangements  to  avoid  proactively  privacy  problems  or  violations 
arising  from  new  and  expanded  efforts  at  combating  terrorism.  Its  introduction  occurred 
coincidently  in  the  aftermath  of  the  March  release  of  the  report  of  the  Technology  and 
Privacy  Advisory  Committee,  a  temporary  study  panel  appointed  by  Secretary  of  Defense 
Donald  H.  Rumsfeld  in  February  2003,  following  considerable  public  controversy 
concerning  Department  of  Defense  sponsorship  of  the  development  of  data  mining 
technology  thought  by  some  to  be  threatening  to  personal  privacy  values.19  The  panel’s 
report  was  apparently  of  broader  scope  than  some  anticipated  and,  according  to  one  press 
view,  “offers  sweeping  recommendations  for  privacy  safeguards  throughout  the 
government.”20 

The  proposed  SHIELD  Privacy  Act  does  not  create  new  privacy  leadership  positions, 
but  requires  that  a  senior  official  at  OMB  and  within  the  principal  departments  and  the 
independent  agencies  be  designated  to  assume  certain  responsibilities,  specified  in  the 
legislation,  regarding  personal  privacy  policy.  The  10-member  study  commission 
established  by  the  legislation  would  be  chaired  by  a  presidential  appointee  (other  members 
would  be  appointed  by  majority  and  minority  leaders  of  the  House  and  Senate),  function 
for  two  years,  possess  subpoena  authority,  and  issue  a  final  report  (and  might  issue 
interim  reports).  The  measure  authorizes  $4,750,000  for  the  commission  to  carry  out  its 
work.  The  bill  was  referred  to  the  House  Committee  on  Government  Reform. 


18  116  Stat.  2135  at  2155. 

19  See  U.S.  Department  of  Defense,  Technology  and  Privacy  Advisory  Committee,  Safeguarding 
Privacy  in  the  Fight  Against  Terrorism  (Washington:  March  2004). 

20  Robert  Pear,  “Panel  Urges  New  Protection  on  Federal  ‘Data  Mining’,”  New  York  Times,  May 
17,  2004,  p.  A 12. 


